Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Mandiant / Google Threat Intelligence

Introduction

Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations.

These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Once inside, the threat actors target cloud-based software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands.

Google Threat Intelligence Group (GTIG) is currently tracking this activity under multiple threat clusters (UNC6661, UNC6671, and UNC6240) to enable a more granular understanding of evolving partnerships and to account for potential impersonation activity.

While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion.
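A defender-side illustration of the access chain described above, added here and not part of the Mandiant article: because the actor holds both the SSO credentials and the MFA code, the sign-in itself passes authentication, so this detection keys on an MFA-backed SSO login from a source IP never seen for that user, followed within a short window by bulk SaaS export. The event schema, sample records, IP history and thresholds are all constructed assumptions, not fields from any real identity provider or SaaS log.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not a real IdP/SaaS log format).
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "type": "sso_login", "mfa": True, "ip": "203.0.113.7"},
    {"ts": "2025-01-10T09:00:30", "user": "alice", "type": "saas_export", "records": 50},
    {"ts": "2025-01-10T13:02:00", "user": "bob", "type": "sso_login", "mfa": True, "ip": "198.51.100.44"},
    {"ts": "2025-01-10T13:05:00", "user": "bob", "type": "saas_export", "records": 12000},
    {"ts": "2025-01-10T13:09:00", "user": "bob", "type": "saas_export", "records": 8000},
    {"ts": "2025-01-10T14:00:00", "user": "carol", "type": "sso_login", "mfa": True, "ip": "192.0.2.9"},
    {"ts": "2025-01-10T14:30:00", "user": "carol", "type": "saas_export", "records": 300},
]

# Constructed per-user history of source IPs seen on prior successful logins.
KNOWN_IPS = {"alice": {"203.0.113.7"}, "bob": {"192.0.2.50"}, "carol": set()}


def find_suspicious_sessions(events, known_ips, window=timedelta(minutes=30), threshold=10_000):
    """Return [(user, login_ts, exported_records)] for every MFA-backed SSO login
    from an IP not in the user's history that is followed, within `window`, by
    SaaS export events totalling at least `threshold` records."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "sso_login" or not ev["mfa"]:
            continue
        if ev["ip"] in known_ips.get(ev["user"], set()):
            continue  # familiar source: a phished session would come from the actor's IP
        start = datetime.fromisoformat(ev["ts"])
        total = 0
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - start > window:
                break  # events are sorted, nothing further falls inside the window
            if later["user"] == ev["user"] and later["type"] == "saas_export":
                total += later["records"]
        if total >= threshold:
            alerts.append((ev["user"], ev["ts"], total))
    return alerts


if __name__ == "__main__":
    for user, ts, records in find_suspicious_sessions(EVENTS, KNOWN_IPS):
        print(f"ALERT {user}: new-IP SSO login at {ts} followed by {records} exported records")
```

Only bob trips the rule: alice logs in from a known IP, and carol's export volume stays under the threshold, which is the kind of tuning a team would do against its own baseline.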
Article Summaries:
- Mandiant and Google Threat Intelligence Group (GTIG) have reported a growing wave of ShinyHunters-branded attacks that use vishing and victim-branded credential-harvesting sites to steal single sign-on (SSO) credentials and MFA codes. The threat actors then move laterally into cloud-based SaaS platforms, exfiltrating sensitive data and internal communications for extortion. The activity is tracked under threat clusters UNC6661, UNC6671, and UNC6240 and has expanded to target a broader range of cloud services, including Okta accounts. No product vulnerability is involved; the attacks rely on social engineering. Mandiant and Google have issued hardening guides and operational playbooks, urging firms to adopt phishing-resistant MFA such as FIDO2 keys.
Sources: